Voting Machine firewall details and passwords leaked online

<div dir="ltr" style="text-align: left;" trbidi="on"> <div style="margin-bottom: .0001pt; margin: 0mm;"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7B6FUrs1Xkli2dBiG8sucr_mhoaIIoVfv2I0nvFZIBpm74L9LvSHN2FbDe1nUzJ0NUVdI5v2MCvi-6QYPNPryWwmQbAzUkNvLB1F8IUvQ6WDpJ4p6zBLJO4GCYh4Erl14C6orQfKWFvY/s1600/Electronic-Voting-hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7B6FUrs1Xkli2dBiG8sucr_mhoaIIoVfv2I0nvFZIBpm74L9LvSHN2FbDe1nUzJ0NUVdI5v2MCvi-6QYPNPryWwmQbAzUkNvLB1F8IUvQ6WDpJ4p6zBLJO4GCYh4Erl14C6orQfKWFvY/s400/Electronic-Voting-hacked.jpg" width="400" /></a></div> <br /> A sysadmin at a number one mechanical device vendor denote a firewall configuration file, as well as passwords, into a public Cisco support forum in 2011, gap the corporate up to attainable attack.<br /> The config files expose a wealth of knowledge helpful to Associate in Nursing wrongdoer, as well as the name, hostname, and ASA version range. whereas <b>there's no proof that the mechanical device vendor was compromised, this accidental discharge of knowledge is "juicy intelligence,"</b> Dan Tentler, founder and corporate executive of satellite cluster, Associate in Nursing attack simulation security company, tells.<br /> <br /> "If you have got a crack team of housebreaker varieties and they are all attending to burgled a building, this firewall configuration file is that the equivalent of finding the ground set up of the building they're reaching to burgled," Tentler says.<br /> <br /> Compromising the c<b>omputer code offer chain of a mechanical device vendor would be a years-long endeavor, requiring careful designing and long-run persistence within the company's network.</b> It remains unclear if this "floor plan" was ever employed by Associate in Nursing wrongdoer because the mechanical device vendor has not answered that question with rhetorical certainty.<br /> One of the ASA devices seems to be a firewall on the company's development and testing network. Associate in Nursing wrongdoer World Health Organization used this intelligence to compromise the mechanical device vendor's network may have used works backdoors ("remote access software") to hack vote machines. they might have deep-seated refined microcode backdoors or engaged in spear phishing attacks against native election officers.<br /> <br /> A nation-state wrongdoer may even have derived the mechanical device ASCII text file and used it to seem for security flaws. "The mechanical device vendors...are actually on the microwave radar of powerful attackers, as well as nation-state adversaries," Alex Halderman, a prof of computing at the University of Michigan, Associate in Nursing a knowledgeable of mechanical device security, tells. "The networks they're mistreatment for developing, testing, and debugging election system computer code area unit probably to be probed by attackers World Health Organization would wish to weaken the protection of our elections."<br /> <br /> "If you'll get into one in every of these vendors," he adds, <b>"take the ASCII text file to the vote machines, that is of huge advantage to somebody UN agency needs to attack them."</b><br /> In the forum postings, that area unit still public at the time of this writing, the mechanical device merchandiser worker asked for facilitate configuring a Cisco ASA 5505 — a firewall appliance — and includes sensitive details regarding the company's internal network layout, likewise as passwords (likely the default passwords), writing, "Here is my running config."<br /> <br /> In one forum post, the worker asks for help:<br /> I am making an attempt to line up a DMZ with an interior VLAN to transfer SFTP (SSH) firmly. I am unable to get the within the computer to attach to the SFTP (SSH) server. I actually have bought and activated the safety upgrade My DMZ server. My computer making an attempt to travel from the within to the DMZ.<br /> The employee continues to provoke facilitate, writing in another forum post, "I would really like to trammel the safety on my Firewall. am I able to take away my ‘any any’ statements in my access lists? Here's my config."<br /> <br /> It's doable, of course, that the sysadmin modified the passwords before posting to the <b>Cisco support forum, though the language used ("Here is my running config") suggests otherwise.</b> it is also doable the passwords were modified afterward.<br /> Even if the passwords were ne'er valid, this firewall config offers associate aggressor valuable intelligence. "This info is incredibly helpful for associate aggressor that’s targeting this organization with a political goal in mind," Tentler says. "If Russia found this and was deciding to focus on this organization, this can be gold."<br /> <br /> We found what we have a tendency to believe to be the employee’s LinkedIn profile, that shows the worker now not works for the corporate. Neither the mechanical device merchandiser nor the previous worker competent our press inquiries.<br /> "I hope that vendor has enforced immensely higher security coaching since 2011 so as to avoid additional security leaks of this nature," Halderman says, "but nothing that I actually have seen would lead Maine to<b> believe their security has improved to the extent necessary to stave off nation-state adversaries</b>."<br /> <br /> <br /></div> </div>

Cisco Cyber Crime evm hacking evm tempering Hacking News voting machine Voting Machine firewall details and passwords leaked online

A sysadmin at a number one mechanical device vendor denote a firewall configuration file, as well as passwords, into a public Cisco su...

Read more »

Under Armour Fitness App MyFitnessPal data breached affecting 150 million users

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt3FA8mAmz1C1o0BjaaMWheMFcBxhvgcylN7-KTbsqpGh92hAMUOWeq9gpBEfP5gWl77xbCxGB42KLXYAE6qVFRbvgZ5j6QZjg8dO9uFQnG7dXw_COuSBCVDG7qEb6MLnD_kPsFZY4s5La/s1600/under-armour-data-leak.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="470" data-original-width="940" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt3FA8mAmz1C1o0BjaaMWheMFcBxhvgcylN7-KTbsqpGh92hAMUOWeq9gpBEfP5gWl77xbCxGB42KLXYAE6qVFRbvgZ5j6QZjg8dO9uFQnG7dXw_COuSBCVDG7qEb6MLnD_kPsFZY4s5La/s640/under-armour-data-leak.png" width="640" /></a></div> <div class="MsoNormal" style="background: white; margin: 7.5pt 0mm 3.75pt;">  </div> <div class="MsoNormal" style="background: white; margin: 7.5pt 0mm 3.75pt;"> Under Armour, Inc. last week <a href="https://content.myfitnesspal.com/security-information/notice.html">announced </a>that it is notifying users of MyFitnessPal - the company's food and nutrition application and website - about a massive data breach affecting 150 million users. But according to the comapny sources, Payment card data was not compromised because it is collected and processed separately. </div> <div class="MsoNormal" style="background: white; margin: 7.5pt 0mm 3.75pt;"> A massive data breach on March 29 that impacted 150 million user accounts of the fitness vendor’s popular MyFitnessPal application Under Armour reported, which provides exercise, diet and calorie counting capabilities.<br /> "On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.” Armour stated, Under Armour has not publicly identified the root cause of the breach.<br /> <br /> The data taken includes <b>usernames, email addresses and hashed passwords.</b> Rather than being stored in plain text, hashed passwords are scrambled cryptographically to protect passwords from being easily reused.<br /> <br /> On March 30, the company began to inform about the leakage of data to 150 million users . Users received the following e-mail:<br /> <blockquote class="tr_bq"> To the MyFitnessPal Community: <br />We have included your MyFitnessPal account information. We understand your protection and information seriously. <br />On March 25, 2018, we became aware of the MyFitnessPal user accounts. The related information included usernames, e-mail addresses, and hashed passwords - the majority of the hashing function called bcrypt used to secure passwords.<br />Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security. We are also notified and are coordinating with law enforcement authorities. <br />We are <br />notifying MyFitnessPal users to provide information on how they can protect their data. <br />We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately. <br />We continue to monitor for suspected activity. <br />We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.<br />We take our steps to safeguard your information. We recommend you: <br />Change your password for your account. MyFitnessPal account. <br />Review your accounts for suspicious activity. <br />Be cautious of any unsolicited communications. <br />Avoid clicking on links or downloading attachments from suspicious emails. <br />For more information, please go to <a href="https://content.myfitnesspal.com/security-information/FAQ.html">https://content.myfitnesspal.com/security-information/FAQ.html</a>. <br />Sincerely, <br />Paul Fipps <br />Chief Digital Officer</blockquote> <br />If you have used this application and wherever you have had the same or similar password, change it as soon as possible.<br /><br />And if you logged in via <a href="https://www.hackerschronicle.com/search/label/facebook">Facebook </a>to the application , firstly - this is not the smartest approach (never do it!), And secondly, go to the Facebook options and receive the app all rights and link again. If you really need to log in via fejs, it would be better if you created an account in your application by e-mail.<br /> <br /></div> </div>

Cyber Attack Data Leak databreach Hacking News MyFitnessPal under armour Under Armour Fitness App MyFitnessPal data breached affecting 150 million users

  Under Armour, Inc. last week announced that it is notifying users of MyFitnessPal - the company's food and nutrition application...

Read more »

Ecuador disabled Wikileaks founder Julian Assange's Internet Access

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieb-VZsU0bCIz6FcGRBe_0j_uch_S229GgnzMf5CtFhsHUxcOs2z1Sh7gKyd2Pcp8xI6qUBB5n85E59LwoWbrhExVIwV9e_thuLa4GUUrYNGFX1J_WvxwAq74tK-Et3gco38uEWWCzUS0M/s1600/julian-assange.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="julian-assange" border="0" data-original-height="596" data-original-width="1018" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieb-VZsU0bCIz6FcGRBe_0j_uch_S229GgnzMf5CtFhsHUxcOs2z1Sh7gKyd2Pcp8xI6qUBB5n85E59LwoWbrhExVIwV9e_thuLa4GUUrYNGFX1J_WvxwAq74tK-Et3gco38uEWWCzUS0M/s640/julian-assange.jpg" title="julian-assange" width="640" /></a></div> <br /> <br /> The founder of WikiLeaks has been offline for a few hours after Ecuador suspended his internet access. WikiLeaks’ founder Julian Assange can’t connect to the internet anymore.<br /> <br /> On Wednesday, Ecuador’s government posted a statement on Twitter saying it cut Assange’s internet access for sending out messages meddling with other countries’ affairs. The message, posted in Spanish, said Assange had broken a “written commitment” not to do that.<br /> <br /> “Assage’s behavior, with his messages through social networks, puts in danger the good relationships that Ecuador maintains with the United Kingdom, with the other countries in the European Union and other nations,” read the statement.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk9_KMv1NFj2miMjOcEPuxs8uYc6QlTwsRqSa32OHqcZYFAlZl0fiqCf4IwL9APqfmMxz9nNb0mJguqRdKHm1vo0QyYUFFijF_nTL7n5iR9jl5j7ZnT2i9ddkMs38fYjpoVyWdXajCSoMB/s1600/internet-disabled-julian-assange.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="745" data-original-width="593" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk9_KMv1NFj2miMjOcEPuxs8uYc6QlTwsRqSa32OHqcZYFAlZl0fiqCf4IwL9APqfmMxz9nNb0mJguqRdKHm1vo0QyYUFFijF_nTL7n5iR9jl5j7ZnT2i9ddkMs38fYjpoVyWdXajCSoMB/s640/internet-disabled-julian-assange.PNG" width="507" /></a></div> <br /> Assange has been living in the Ecuadorian embassy in London since 2012, when the government granted him political asylum.<br /> <br /> It’s unclear what message or messages in particular got Assange in trouble. Ecuador’s government and Ecuador’s embassy in Washington DC did not immediately respond to a request for comment via email.<br /> <br /> Assange spent much of Tuesday on Twitter posting several tweets related to the arrest of Catalan independentist politician Carles Puigdemont. Puigdemont was arrested in Germany on Sunday. The politician fled Spain after declaring the Catalan independence last year. The Spanish government has indicted him for crimes of rebellion and sedition, among others, and issued a European arrest warrant.<br /> <br /> He also posted a somewhat cryptic, an seemingly apropos of nothing, tweet in Spanish that said: “I won’t have the right to speak about political prisoners who were interfered with under any circumstance.”<br /> <br /> Assange often comments on international affairs on his personal Twitter account, as well as the WikiLeaks official one. In 2016 and in 2017 he often commented on American politics and the US elections.<br /> <br /> WikiLeaks supporters, such as MEGA’s founder Kim Dotcom, took it to Twitter to protest, using the hashtag #ReconnectAssange.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL8Tn2ttv98Cj1RuTMpuCLkD0SPOUFp32-EXL28XYJjBGnPReNrKzkso7WkIRFOsohTi7gNuqQFoXPbLKJXNCRWHG0a0CLa8Fg5JCExCKt12DLLB_8Qv6J3WwX4OQsjsYnWYX3Ds9-SlCe/s1600/ReconnectJulian.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="618" data-original-width="648" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL8Tn2ttv98Cj1RuTMpuCLkD0SPOUFp32-EXL28XYJjBGnPReNrKzkso7WkIRFOsohTi7gNuqQFoXPbLKJXNCRWHG0a0CLa8Fg5JCExCKt12DLLB_8Qv6J3WwX4OQsjsYnWYX3Ds9-SlCe/s400/ReconnectJulian.PNG" width="400" /></a></div> <br /></div>

Hacking News julian assange politics ReconnectAssange wikileaks Ecuador disabled Wikileaks founder Julian Assange's Internet Access

The founder of WikiLeaks has been offline for a few hours after Ecuador suspended his internet access. WikiLeaks’ founder Julian Assan...

Read more »

Intel CPUs Vulnerable To New Spectre-Like Attack, BranchScope

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-OgISz-LWmIqbGtXLg6c-5TcL-lE1G9t1shQoILWCUnuGovEIVJZ45gZA2mz_a1ia22TODVdCE7G0V37HVPFnR5H0Zk5jNmRKLoMnka2655VsKMsOK0C_YErOBXlhyphenhyphenjZG3zl3EJF4A-nK/s1600/BranchScope.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Intel CPUs Are Now Vulnerable to BranchScope Attacks.After Meltdown and Spectre" border="0" data-original-height="455" data-original-width="1250" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-OgISz-LWmIqbGtXLg6c-5TcL-lE1G9t1shQoILWCUnuGovEIVJZ45gZA2mz_a1ia22TODVdCE7G0V37HVPFnR5H0Zk5jNmRKLoMnka2655VsKMsOK0C_YErOBXlhyphenhyphenjZG3zl3EJF4A-nK/s640/BranchScope.png" title="Intel CPUs Are Now Vulnerable to BranchScope Attacks.After Meltdown and Spectre" width="640" /></a></div> <br /> <br /> Security researchers have discovered a new wave of attacks called <b>BranchScope</b>. Yet we're not done with the Meltdown and Spectre security flaws that put billions of devices at risk of attacks.<br /> <br /> <b>BranchScope : </b>It's a <b>new side-channel attack </b>discovered by four security researchers<b> </b>from College of William and Mary, Carnegie Mellon University in Qatar, University of California Riverside, and Binghamton University, which could affect devices powered by Intel processors and which may be immune to the <a href="http://www.hackerschronicle.com/search/label/meltdown">Meltdown </a>and Spectre mitigations.<br /> <br /> According to their <a href="http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf">paper</a>, even if they are a bit more sophisticated, the BranchScope attacks can do the same damage as the <a href="http://www.hackerschronicle.com/search/label/spectre">Spectre </a>and Meltdown flaws, in the way that an<b> attacker can exploit the security vulnerability to retrieve sensitive data from the unpatched system, including passwords and encryption keys,</b> by manipulating the shared directional branch predictor.<br /> <br /> "<b>The success of the attack largely depends on the ability to perform branch manipulations with precise timing,</b>" reads the paper. "The attacker controlled OS can easily manipulate victim execution timings. For example, the attacker can configure the Advanced Programmable Interrupt Controller (APIC) in such a way that enclave code is interrupted after several instructions are executed."<br /> <br /> Sandy Bridge, Haswell, and Skylake processors affected The researchers have demonstrated the BranchScope attack on three recent Intel Core i5 and Core i7 x86_64 (64-bit) processor families, including Sandy Bridge, Haswell, and Skylake. The worst part of these attacks is that BranchScope can be extended, offering attackers additional tools to perform more advanced and flexible attacks that target even applications running inside Intel SGX (Software Guard Extensions) enclaves.<br /> <br /> In their paper, which is a must read if you want to learn everything there is to know about the BranchScope vulnerability, the security<b> researchers have proposed software- and hardware-based mitigations for the BranchScope attacks</b>. Therefore, we expect Intel to release new microcode updates for its processors that also fully patch the <a href="http://www.hackerschronicle.com/search/label/branchscope">BranchScope </a>vulnerability, so make sure you always keep your systems up-to-date.<br /> <br /> “We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”<br /> <br /> <br /></div>

branchscope Hacking News intel meltdown spectre Vulnerability Intel CPUs Vulnerable To New Spectre-Like Attack, BranchScope

Security researchers have discovered a new wave of attacks called BranchScope . Yet we're not done with the Meltdown and Spectre se...

Read more »

Source Code of Tools used by Cambridge Analytica to hijack Facebook accounts leaked

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEduR2TtnILaL7oVBznbPnhekcKb7ZUMzGSSXO-DjClOz4H8ZOa0bA67PKwukye5wjLX20yb_-8wnVZUWw54q9q-qodV4ADTCvDelRzYheXpz1mmbGYVSh5jKd3sff7a1eoufQYu76eayC/s1600/facebook-data-leak.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="800" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEduR2TtnILaL7oVBznbPnhekcKb7ZUMzGSSXO-DjClOz4H8ZOa0bA67PKwukye5wjLX20yb_-8wnVZUWw54q9q-qodV4ADTCvDelRzYheXpz1mmbGYVSh5jKd3sff7a1eoufQYu76eayC/s640/facebook-data-leak.jpg" width="640" /></a></div> AggregateIQ – a Canadian political advertising firm that played a role in the 2016 <a href="http://www.hackerschronicle.com/search/label/US%20Elections">US election</a> and the UK's "Vote Leave" Brexit campaign – left its applications and database credentials publicly accessible, security firm Upguard <a href="https://www.upguard.com/breaches/aggregate-iq-part-one">said </a>on Monday.<br /> <br /> There's no evidence that the <a href="http://www.hackerschronicle.com/search/label/Data%20Leak">exposed code</a> or data was taken. Nor is there evidence it wasn't. It was simply left accessible to the public for an unspecified period of time.<br /> <br /> In a phone interview,  Chris Vickery, Upguard's director of cyber risk research, said AggregateIQ had installed a custom version of the open source <a href="http://www.hackerschronicle.com/search/label/GitLab">GitLab </a>software version control and collaboration system.<br /> <br /> "For whatever reason, they configured it to allow registration of new accounts by the public," he said.<br /> <br /> About a week ago, on March 20, Vickery found the code repo, hosted on a GitLab subdomain of AggregateIQ.com, <a href="http://gitlab.aggregateiq.com/">gitlab.aggregateiq.com</a>.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhpN-mtxQ4JVaPMUSb0JYefIHe4kQbv488xyyirSu5b7ACyuNmM2V_ghqK8u1yoXGKtqPsD0njft9ZvxiSTL0GAMlWStlfg5PpnNQb19J4dbD3d_O0xjYIQ7x8CXnmissJvoTluI_07LKO/s1600/aggregatoriq-gitlab.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="968" data-original-width="1537" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhpN-mtxQ4JVaPMUSb0JYefIHe4kQbv488xyyirSu5b7ACyuNmM2V_ghqK8u1yoXGKtqPsD0njft9ZvxiSTL0GAMlWStlfg5PpnNQb19J4dbD3d_O0xjYIQ7x8CXnmissJvoTluI_07LKO/s640/aggregatoriq-gitlab.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">AggregateIQ GitLab Repository</td></tr> </tbody></table> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOtwotX9_tYp5sm4XP0msxaecuw8sy07HyEmDixBoitOm26hCogCjtEwp9FCmwnY5DP6VmS7MTZQgSsLiK0Rq0E_dQpP7yruyFu-pagphtD4hFsI283U9Bkrl2TSvAJwj13bvZFxMDlBq/s1600/aggregatoriq-mamba-jamba.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="765" data-original-width="989" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGOtwotX9_tYp5sm4XP0msxaecuw8sy07HyEmDixBoitOm26hCogCjtEwp9FCmwnY5DP6VmS7MTZQgSsLiK0Rq0E_dQpP7yruyFu-pagphtD4hFsI283U9Bkrl2TSvAJwj13bvZFxMDlBq/s640/aggregatoriq-mamba-jamba.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Explanation of Primary Data Storage</td></tr> </tbody></table> <br /> Accessing the URL allowed him to register simply by providing an email address. After that, he was able to see the firm's tools and data.<br /> <br /> Vickery said he informed federal authorities of his findings but declined to name the specific agency, per the agency's request. He also said he informed AggregateIQ, and the biz shut down access 11 minutes later.<br /> <br /> Upguard suggests the material found – apparently used to support US Senator Ted Cruz's failed 2016 presidential campaign – raises questions about the firm's alleged ties to Cambridge Analytica, which <b>received $5.8 million for services rendered from the Cruz campaign</b>.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3CUX1Yx_mfMsBIVcfaWXoXimw20oSbL7mbopFaBvD1oL2R655bmOanYDHr-UFIeUXgMWKb1JCfv4dh8upTaxvVkDpuY_qaNy_eDv4whWTR_Vjs8rqSGyOpfEKmWRkZGFGK8kWxj9H44y/s1600/ripon_voicemail_script.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="273" data-original-width="766" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb3CUX1Yx_mfMsBIVcfaWXoXimw20oSbL7mbopFaBvD1oL2R655bmOanYDHr-UFIeUXgMWKb1JCfv4dh8upTaxvVkDpuY_qaNy_eDv4whWTR_Vjs8rqSGyOpfEKmWRkZGFGK8kWxj9H44y/s640/ripon_voicemail_script.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">US Senator Ted Cruz's VoiceMail Script: Ripon_canvas</td></tr> </tbody></table> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkbL_0FhZWFF1BjqlH0tqpr5avCuvpYFn-e6o7gd1U1mSRyde4al4xu8kdQezEI2JHujT5zyDwJtgMVV_Dlz9fnEN9xpNwvNXzU7_GIqcZkCZH4Jx6hOoagX8Yn3mFNFGKc_ujgTrKSjK/s1600/ripon_dialer_commit.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="288" data-original-width="992" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkbL_0FhZWFF1BjqlH0tqpr5avCuvpYFn-e6o7gd1U1mSRyde4al4xu8kdQezEI2JHujT5zyDwJtgMVV_Dlz9fnEN9xpNwvNXzU7_GIqcZkCZH4Jx6hOoagX8Yn3mFNFGKc_ujgTrKSjK/s640/ripon_dialer_commit.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Ripon_dialer utilizing phonebanking utility.</td></tr> </tbody></table> <br /> <a href="http://www.hackerschronicle.com/search/label/cambridge%20analytica">Cambridge Analytica</a>, a UK-based data analytics firm, stands at the center of the current Facebook privacy scandal, a consequence of the biz obtaining about 50 million Facebook profiles from a researcher who took advantage of the social media site's former policy of letting app devs gather info on app users and all of their friends.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/aggregateiq">AggregateIQ </a>has been linked to Cambridge Analytica in press reports; Cambridge Analytica CEO Alexander Nix (currently suspended after undercover video of him discussing his company's tactics) has acknowledged using AggregateIQ in the past to develop software applications.<br /> <br /> A Guardian/Observer report from May 2017 alleges that Wylie, the whistleblower who helped bring the Facebook data scandal to the fore, brought AggregateIQ and Cambridge Analytica together.<br />   <br /> Read More About: <a href="http://www.hackerschronicle.com/2018/03/facebook-data-breach.html">Facebook Data Leak</a><br /> <br /> The report asserts that at one point, AggregateIQ’s address and phone number were the same as the address and phone listed for SCL Canada on Cambridge Analytica’s website.<br /> <br /> On Saturday, AggregateIQ issued a statement to distance itself from Cambridge Analytica and its parent company SCL and to assert that it has never knowingly been involved in illegal activity.<br /> <br /> "AggregateIQ has never been and is not a part of Cambridge Analytica or SCL," the Canadian company said. "Aggregate IQ has never entered into a contract with Cambridge Analytica. Chris Wylie has never been employed by AggregateIQ."<br /> <br /> Vickery expressed skepticism about AggregateIQ's disavowal of ties to Cambridge Analytica.<br /> <blockquote class="tr_bq"> I find it hard to believe that there would be such a non-relationship as they describe," he said. "I've seen compelling evidence the to contrary.</blockquote> <br /> Upguard says it discovered "a set of sophisticated applications, data management programs, advertising trackers, and information databases that collectively could be used to target and influence individuals through a variety of methods, including automated phone calls, emails, political websites, volunteer canvassing, and Facebook ads."<br /> <br /> The security biz also said it found various credentials, keys, hashes, usernames, and passwords to access AggregateIQ accounts, which would allow hackers who obtained the information to compromise accounts. Vickery clarified that the databases were not directly exposed.<br /> <blockquote class="tr_bq"> These are the tools used to interact with the data," he said. "These aren't the databases themselves.</blockquote> The credentials to access the databases through these tools were available but he said he did not use them – using someone else's credentials to login without authorization carries a potential legal risk.<br /> <br /> But, said Vickery, there's mention of the Republican National Committee and a significant data store. Upguard's post contains a screenshot of an application described at the Database of Truth that combines RNC data with state voter files, consumer data, third party data providers, and other sources of information. In theory, that database could contain information on millions of US voters.<br /> <br /> Vickery said he is considering further posts about his findings but has yet to determine the details.<br /> <br /> Asked whether it is aware of Upguard's findings, a spokesperson for the Office of the Privacy Commissioner of Canada sent in the following statement:<br /> <br /> <blockquote class="tr_bq"> What we can tell you at this point is that we have been in contact with our provincial counterpart in British Columbia, which has been examining matters related to AggregateIQ and our discussions with them are ongoing. We don’t have further information to share at this time.</blockquote> </div>

aggregateiq cambridge analytica Data Leak facebook GitLab Hacking News Source Code US Elections Source Code of Tools used by Cambridge Analytica to hijack Facebook accounts leaked

AggregateIQ – a Canadian political advertising firm that played a role in the 2016 US election and the UK's "Vote Leave" ...

Read more »

MongoDB Hacked in 13 seconds demanding for ransom

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3RrQ7ct6l67yOe5gYYcqqtZ7uqmOTa-2Gn3IK-6GnuP_5drlgq214myKQEqRc6-8cTvHbkmgct3gYNOCVwcUCNuNMWwt5zBQW6rxdlu9gvyhTePv1M82P6H4skau8qTcb_HPu6m9pJI/s1600/mongodb-hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="325" data-original-width="683" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM3RrQ7ct6l67yOe5gYYcqqtZ7uqmOTa-2Gn3IK-6GnuP_5drlgq214myKQEqRc6-8cTvHbkmgct3gYNOCVwcUCNuNMWwt5zBQW6rxdlu9gvyhTePv1M82P6H4skau8qTcb_HPu6m9pJI/s640/mongodb-hacked.jpg" width="640" /></a></div> <br /> The hackers have been exploiting unprotected MongoDB for the last couple of years, based servers to steal data and hold the exposed databases for ransom. In order to raise awareness, <b>hackers leaked 36 million records of internal data collected from several vulnerable servers.</b><br /> <br /> <br /> The IT security researchers from German firm Kromtech conducted an experiment in which they purposely left a MongoDB database exposed to the public and kept an eye on the incoming connections, to determine and measure the depth of attacks against MongoDB,.<br /> <br /> <br /> The matter seriousness can be understood by the fact that in July of 2015 John Matherly of Shodan, <b>the world’s first search engine for the Internet of Things (IoT devices) revealed that there are over 30,000 unprotected MongoDB databases exposed for public access</b>.<br /> <br /> <b>Honeypot</b>: Which is a security mechanism set to detect and counteract attempts at unauthorized use of information systems.<br /> <br /> The honeypot database contained 30GB of fake data. Little did they know, it took only three hours for hackers to identify the database before wiping out its data in just 13 seconds and leaving a ransom note demanding 0.2 Bitcoin according to Kromtech’s blog post.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmn-WPs3HTyuG4VUdaVUsWn_d9XLO1Sjopze1P-TfmGzhXZfiL4TwwXZ8VUBX2_sRdaThLcY2Bh1uEP5-q5m26OzAkdaEyhyphenhyphenfrdL9gNLAQnSFpOpgZzS3UVk_5R0aakxJwdpdQHb0zsw/s1600/ramsom-note.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="110" data-original-width="702" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSmn-WPs3HTyuG4VUdaVUsWn_d9XLO1Sjopze1P-TfmGzhXZfiL4TwwXZ8VUBX2_sRdaThLcY2Bh1uEP5-q5m26OzAkdaEyhyphenhyphenfrdL9gNLAQnSFpOpgZzS3UVk_5R0aakxJwdpdQHb0zsw/s640/ramsom-note.png" width="640" /></a></div> <br /> Here it is noteworthy that in January 2017, hackers held several MongoDB databases for ransom and demanded 0.2 Bitcoin in return. It is unclear if the hackers who took over the honeypot database are part of the same group. However, according to Kromtech’s Chief Communication Officer Bob Diachenko, the attack on their database has been traced back to China.<br /> <br /> The researchers are certain that only an automated script can complete such task within 13 seconds.<br /> <br /> “The attacker connects to our database first, then drops the databases to delete them, drops the Journals to erase their tracks, creates a database called Warning with Readme collection and the Solution Record, then drops the Journals again to cover their tracks. This was all completed in just thirteen seconds, leading to the conclusion that this was the work of an automated script,” noted Kromtech researchers.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikc-ITCUJqScaHHfQxcIDKQNrql0zulaDQCWFOyDraoqbf7dHvVMBrc2mVGBw7joiAJ5CUatOiNogBu4owoGBJGlFLr0WmlA-AiVpU52BW7F0lbQRDyDBjIbJ8mS-6_k3EW4S4LJT2u6c/s1600/mongodb-hacked-in-13-seconds.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="419" data-original-width="768" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikc-ITCUJqScaHHfQxcIDKQNrql0zulaDQCWFOyDraoqbf7dHvVMBrc2mVGBw7joiAJ5CUatOiNogBu4owoGBJGlFLr0WmlA-AiVpU52BW7F0lbQRDyDBjIbJ8mS-6_k3EW4S4LJT2u6c/s640/mongodb-hacked-in-13-seconds.jpg" width="640" /></a></div> <br /> <b>The <a href="https://mackeepersecurity.com/post/how-long-does-it-take-for-a-mongodb-to-be-compromised">researchers </a>are advising </b>users to secure their database since exposed MongoDB servers are still at risk. <b>Another important aspect</b> of <b>ransom attacks against MongoDB is that hackers are simply deleting the database therefore even if victim pays them off, their data will never be returned.</b> Therefore, keep a back up of your data and never pay ransom in such cases.</div>

Cyber Attack Cyber Crime database Hacking News MongoDB MongoDB Hacked in 13 seconds demanding for ransom

The hackers have been exploiting unprotected MongoDB for the last couple of years, based servers to steal data and hold the exposed data...

Read more »

18.5 Million Websites Infected With Malware

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX7tz1gHmgqsrr-J_aVIopZgZubXEunrBTNrAq0HQtwzYyAXdSGnrxqAKJ8MdV_UnVTh0u8FWcayQlOibNEOIrGlRrWEzi-F5NSjTd1q6BdRC4z45xNLyFKVRYsZsOWKLNynTKk5o8XcE/s1600/website-malware-attack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="website-malware-attack" border="0" data-original-height="438" data-original-width="1339" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX7tz1gHmgqsrr-J_aVIopZgZubXEunrBTNrAq0HQtwzYyAXdSGnrxqAKJ8MdV_UnVTh0u8FWcayQlOibNEOIrGlRrWEzi-F5NSjTd1q6BdRC4z45xNLyFKVRYsZsOWKLNynTKk5o8XcE/s640/website-malware-attack.PNG" title="website-malware-attack" width="640" /></a></div>On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day.<br /> <br /> Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). <b>The WAF provides insight into <a href="http://www.hackerschronicle.com/search/label/DDoS">DDoS </a>attacks against websites,</b> while the scanners provide insight into the state of malware in websites.<br /> <br /> The analysis shows an increase of <b>around 20% in the number of infected websites over Q3 2017</b>. <b>"We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek</b>. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96ShNSJGwhEKKtBYEvxe-DCuwC_l6Ik61yW8duVvKOJ-jjGYp_YboO2RGKwmZmZtP49uzQxRbj6hTRZifQ00legX-H3iuO0w0ooUzTnqxgGvoNsUBTp21NdsOWadOk6BgyvgTPOD-oPo/s1600/website-attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="800" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi96ShNSJGwhEKKtBYEvxe-DCuwC_l6Ik61yW8duVvKOJ-jjGYp_YboO2RGKwmZmZtP49uzQxRbj6hTRZifQ00legX-H3iuO0w0ooUzTnqxgGvoNsUBTp21NdsOWadOk6BgyvgTPOD-oPo/s640/website-attack.png" width="640" /></a></div><br /> Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."<br /> <br /> The majority of Sitelock's customers are typically small businesses and blogs. "<b>Many website owners remain unaware that website security is their responsibility and rely too heavily </b>on popular search engines and other <b>third parties to notify them when they've been compromised</b>," <b>said Ortega.</b> This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.<br /> <br /> Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of <a href="http://www.hackerschronicle.com/search/label/Wordpress">WordPress</a> sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.<br /> <br /> It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, <b>Sitelock cleaned an average of 672,655 <a href="http://www.hackerschronicle.com/search/label/Malwares">malici<span id="goog_234162612"></span><span id="goog_234162613"></span>ous </a>files every week. </b>It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.<br /> <br /> <b>Jessica Ortega, a research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files.</b> Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.<br /> <br /> One of the problems is that the average website is very easy to compromise. <b>Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS)</b> vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.<br /> <br /> <blockquote class="tr_bq">Even CSM security updates can be used against the website if they are not immediately installed. <b>"Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerabilities</a>.</b> They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."</blockquote><br /> Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," e<b>xplains Ortega</b>. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.<br /> <br /> "Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and <b>obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal.</b> Or they're just trying to further spread their malware to visitors via exploit kits."<br /> <br /> Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited, but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.<br /> <br /> <b>Sixteen percent of infected sites were subsequently defaced,</b> often with a political or religious message, often <b>by script skiddies</b>.<br /> For a list of best Android Mobile Hacking Apps: <a href="https://joyofandroid.com/best-hacking-apps-for-android/">Refer Here</a><br /> </div>

DDoS Hacking News Malwares sitelock Vulnerability 18.5 Million Websites Infected With Malware

On the internet, there are more than 1.86 billion websites. Around 1% of these -- something like 18,500,000 -- are infected with malware at ...

Read more »

Data Breach at Orbitz exposed 880,000 credit cards

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXXnPBMyuwTZoTNpyjN5CmLaO3JgDrV_xEgkSgKkPR0P4xYcnurZoX4pSXj-nu-cIXOoSwGopMJ_93H6fTS6HMEVLoE8LLvYMQZKa_IRliLx5uzrFD3dXuM1FW5x7oI8SLiHgrFdSJIL77/s1600/expedia-hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="533" data-original-width="800" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXXnPBMyuwTZoTNpyjN5CmLaO3JgDrV_xEgkSgKkPR0P4xYcnurZoX4pSXj-nu-cIXOoSwGopMJ_93H6fTS6HMEVLoE8LLvYMQZKa_IRliLx5uzrFD3dXuM1FW5x7oI8SLiHgrFdSJIL77/s640/expedia-hacked.jpg" width="640" /></a></div> <br /> Travel website Orbitz, a subsidiary of Expedia Inc. disclosed Tuesday a <a href="http://www.hackerschronicle.com/search/label/databreach">security breach</a> that may have exposed data for thousands of customers, including information on 8,80,000 <a href="http://www.hackerschronicle.com/search/label/Credit%20Card">credit cards</a>.<br /> <br /> The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The information attackers “likely accessed” included people’s names, dates of birth, email addresses, street addresses, and genders, Orbitz said.<br /> <br /> The <a href="http://www.hackerschronicle.com/search/label/Data%20Leak">data leak</a>, which took place between Oct. and Dec. and involved records dating between Jan. 1, 2016 and Dec. 22, 2017, did not affect its current website, <a href="http://orbitz.com/">Orbitz.com</a>, nor did it involve any Social Security numbers, Orbitz said. The company said it “has not found any evidence” that other customer information was affected, like travel itineraries or passports.<br /> <br /> Orbitz advised customers who used its services during the prescribed time period to check their credit and debit card billings statements and to contact their banks if they see any fraudulent charges.<br /> <br /> Orbitz said it was in the process of notifying potential victims and that it would offer them a year of free credit monitoring services. Customers with questions can visit <a href="http://orbitz.allclearid.com/">orbitz.allclearid.com</a> for more information, the company said.<br /> <blockquote class="tr_bq"> “We deeply regret the incident,” Orbitz said in a statement, noting that it was unsure whether hackers had indeed absconded with customer information. The company determined on March 1, 2018 that it had uncovered “evidence suggesting…an attacker may have accessed personal information,” it said.</blockquote> “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said.<br /> <br /> Expedia’s share price fell almost 2% during the day.</div>

Credit Card Cyber Attack Cyber Crime Data Leak databreach expedia Hacking News orbitz Data Breach at Orbitz exposed 880,000 credit cards

Travel website Orbitz, a subsidiary of Expedia Inc. disclosed Tuesday a security breach that may have exposed data for thousands of cus...

Read more »

Intel processors will use hardware-based protections against Meltdown and Spectre 2

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9EtGh1NAW69qca9ByY_y1QdHET3Iwt7bxUc37EhPSlTaJJFQNiy49abJzlV0iIx62d7Ni21AFBKVob3eeDXqBb5jdZeAvaLOseuAkgrXcRP0n-2GjKGTMrF-lz5cEyFGKR21uYXhsOnee/s1600/intel-meltdown-spectre-patch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9EtGh1NAW69qca9ByY_y1QdHET3Iwt7bxUc37EhPSlTaJJFQNiy49abJzlV0iIx62d7Ni21AFBKVob3eeDXqBb5jdZeAvaLOseuAkgrXcRP0n-2GjKGTMrF-lz5cEyFGKR21uYXhsOnee/s640/intel-meltdown-spectre-patch.png" width="640" /></a></div> <br /> Intel has officially pushed out microcode updates with Spectre and Meltdown mitigations for all of the processors it launched in the past five years.<br /> <br /> In addition to this, the company’s CEO announced new, redesigned processor lines that will start shipping later this year and will include hardware-based protection for Meltdown (exploiting CVE-2017-5754, a rogue cata cache load flaw) and variant 2 of Spectre (exploiting CVE-2017-5715, a branch target injection <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a>).<br /> <blockquote class="tr_bq"> “While [Spectre] Variant 1 will continue to be addressed via software mitigations, we are making changes to our hardware design to further address the other two,” Intel CEO Brian Krzanich <a href="https://newsroom.intel.com/editorials/advancing-security-silicon-level/">said</a>.</blockquote> “We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 [<a href="http://www.hackerschronicle.com/search/label/spectre">Spectre</a>] and 3 [<a href="http://www.hackerschronicle.com/search/label/meltdown">Meltdown</a>]. Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors. These changes will begin with our next-generation Intel Xeon Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel Core processors expected to ship in the second half of 2018. ”<br /> <br /> He did not offer more details about these protections, but the video included in the announcement says that the Spectre variant 2 fixes will make it so that attackers can’t influence the path the speculative execution process and use misdirections to gain access to sensitive data. The solution, Intel says, “retains the many benefits of speculative execution, while addressing the threat of variant 2.”<br /> <br /> Organizations and users who don’t want to spend money on new processors will have to make do with the firmware updates for the old ones – and suffer some performance impacts.<br /> <br /> <blockquote class="tr_bq"> “We have now released <a href="https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf">microcode updates</a> for 100 percent of Intel products launched in the past five years that require protection against the side-channel method vulnerabilities discovered by Google,” Krzanich noted.</blockquote> <br /> It is on industry partners like Microsoft to implement them via firmware and software updates.<br /> <br /> Krzanich, of course, advised everyone to implement the updates as they are made available.</div>

CVE-2017-5715 Hacking News intel Malwares meltdown spectre Intel processors will use hardware-based protections against Meltdown and Spectre 2

Intel has officially pushed out microcode updates with Spectre and Meltdown mitigations for all of the processors it launched in the pas...

Read more »

Russia Linked hacking group Sofacy APT attacking European Government Agencies

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWjy6QuFllWbAluEJnhxN3IM-J47fd6jyqAfwLumiaHtJotl50ubw46Ag1dConjKBJa8CAyD7wfi_F6VGn10Yop72k-4MHqSxXg-NtfZZQ_loZbxSZz0PVc2qkputRhlEH6xS4D2klWKmV/s1600/fancy-bear-attck.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Fancy Bear attack on European Union GOvernment" border="0" data-original-height="508" data-original-width="940" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWjy6QuFllWbAluEJnhxN3IM-J47fd6jyqAfwLumiaHtJotl50ubw46Ag1dConjKBJa8CAyD7wfi_F6VGn10Yop72k-4MHqSxXg-NtfZZQ_loZbxSZz0PVc2qkputRhlEH6xS4D2klWKmV/s640/fancy-bear-attck.jpg" title="Fancy Bear attack on European Union GOvernment" width="640" /></a></div> <br /> Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intelligence agency GRU.<br /> <br /> Despite the sanctions, <a href="http://www.hackerschronicle.com/search/label/Russian%20Hackers">Russian hackers</a> continue to target entities worldwide, including US organizations.<br /> <br /> The Russian spy agencies and the individuals are accused of trying to influence the 2016 presidential election and launching massive <a href="http://www.hackerschronicle.com/2018/02/russian-military-involved-in-notpetya.html">NotPetya </a>ransomware campaign and other attacks on businesses in the energy industry.<br /> <br /> Last year, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as <a href="http://www.hackerschronicle.com/search/label/dragonfly">Dragonfly</a>, <a href="http://www.hackerschronicle.com/search/label/crouching%20yeti">Crouching Yeti</a>, and <a href="http://www.hackerschronicle.com/search/label/energetic%20bear">Energetic Bear</a>.<br /> <br /> Now the US-CERT updated its <a href="https://www.us-cert.gov/ncas/alerts/TA18-074A">alert </a>by providing further info that and officially linking the above APT groups to the Kremlin.<br /> <br /> The Alert (<a href="https://www.us-cert.gov/ncas/alerts/TA18-074A">TA18-074A</a>) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it label the attackers as “Russian government cyber actors.”<br /> <blockquote class="tr_bq"> “This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert. </blockquote> <blockquote class="tr_bq"> “It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.” </blockquote> <br /> According to the DHS, based on the analysis of indicators of compromise, the Dragonfly threat actor is still very active and its attacks are ongoing.<br /> <br /> “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”<br /> <br /> The Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of <a href="http://www.hackerschronicle.com/search/label/Russian%20Military">Russian cyberspies</a>.<br /> <br /> A few days ago, cyber security experts at Palo Alto Networks uncovered hacking campaigns launched by Sofacy against an unnamed European government agency leveraging an updated variant of the DealersChoice tool.<br /> <br /> <blockquote class="tr_bq"> “On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice.” reads the <a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/">analysis </a>published by PaloAlto Networks.</blockquote> <br /> “The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed. One of the differences was a particularly clever evasion technique.”<br /> <br /> The attacks uncovered by PaloAlto aimed at a government organization in Europe used a spear phishing email referencing the “Underwater Defence & Security” conference, which will take place in the U.K. later this month.<br /> <br /> While previous versions of DealersChoice loaded a <a href="http://www.hackerschronicle.com/search/label/Malwares">malicious </a>Flash object as soon as the bait document was opened, the samples analyzed by PaloAlto that were related to the last attacks include the Flash object on page three of the document and it’s only loaded if users scroll down to it.<br /> <br /> “The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.” states the analysis.</div>

crouching yeti Cyber Attack DealersChoice dragonfly energetic bear fancy bear Hacking News Russian Hackers sofacy apt US-CERT Russia Linked hacking group Sofacy APT attacking European Government Agencies

Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intell...

Read more »

50 Million Facebook Accounts Hijacked to help Trump Win

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUEmmat2-sv6abghJmD2zJxbrD88SmG_6cMo92OLAiycOXq81J34cWQIQ97G_3N7YUZTas813lA1CTHxmkXCBDf5SFJZObFBjEM8XcLli-fa9DBXAZBv6hdntT0zjLWuXcIcVzGomOA5No/s1600/facebook-role-in-us-elections.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="facebook-data-used-to-help-trump-win" border="0" data-original-height="400" data-original-width="800" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUEmmat2-sv6abghJmD2zJxbrD88SmG_6cMo92OLAiycOXq81J34cWQIQ97G_3N7YUZTas813lA1CTHxmkXCBDf5SFJZObFBjEM8XcLli-fa9DBXAZBv6hdntT0zjLWuXcIcVzGomOA5No/s640/facebook-role-in-us-elections.jpg" title="facebook-data-used-to-help-trump-win" width="640" /></a></div> <br /> 50 million Facebook accounts, most of them in the United States, had their data harvested in 2014 by a company looking for ways to target people with political messages. Facebook has denied this was a data breach.<br /> <br /> A whistleblower named Christopher Wylie, who used to work at a company called Cambridge Analytica, gave a dossier of evidence including “emails, invoices, contracts and bank transfers” told to the <a href="https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election">Observer</a>.<br /> <blockquote class="tr_bq"> Cambridge Analytica data breach Whistleblower Christopher Wylie says, "We exploited Facebook to harvest millions of profiles. And built models to exploit that and target their inner demons."</blockquote> A company called Global Science Research (GSR) run by Cambridge University academic Aleksandr Kogan created an app called <b>thisisyourdigitallife </b>– a personality test people can fill out online. He worked with Cambridge Analytica which was looking for ways to influence what people think about politics. A contract was signed between GSR and a Cambridge Analytica affiliate called SCL Elections Ltd. When people filled out the personality test, they gave permission for the app to collect their Facebook data “for academic use”. However, the app also collected the data of all of the user’s Facebook friends, quickly inflating the number of people affected to the tens of millions.<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzEZt2mdJvVTXeWFflXlH9OBAS9i8YWqwjVFqBlm7CZoECbTwX9efBHzs4Nn6O3U6PNa_7ivGa3ewUalMkZb9Tt1HSiP5__joF2qYdX5YA-PTzPdJUgD2Gj1YD4V6oXxMW9sqzT-rU1q4F/s1600/Christopher-Wylie.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="392" data-original-width="600" height="417" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzEZt2mdJvVTXeWFflXlH9OBAS9i8YWqwjVFqBlm7CZoECbTwX9efBHzs4Nn6O3U6PNa_7ivGa3ewUalMkZb9Tt1HSiP5__joF2qYdX5YA-PTzPdJUgD2Gj1YD4V6oXxMW9sqzT-rU1q4F/s640/Christopher-Wylie.jpg" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Whistleblower Christopher Wylie</td></tr> </tbody></table> <br /> The data from 50 million Facebook profiles were looked at against the electoral register, and then used to build an algorithm which analyses people’s personality traits in relation to their voting behaviour. This could then be used to find potential swing voters and create messages tailored to influence them politically. <br /> <br /> Cambridge Analytica is being investigated by the Electoral Commission for its possible role in the EU referendum and by the Information Comissioner’s Office over using data analytics for political purposes. The firm is also being investigated in the United States by special counsel Robert Mueller, a former FBI director who is investigating possible collusion between Russia and President Donald Trump’s election campaign. Wylie has also passed on his dossier of evidence to the National Crime Agency’s <a href="http://www.hackerschronicle.com/search/label/Cyber%20Crime">cybercrime </a>unit and the Information Commissioner’s Office. <br /> <br /> On Friday, just before the story broke, Facebook announced it was suspending Cambridge Analytica and GSR’s Aleksandr Kogan from Facebook while it carries out an investigation into “misuse of data”. It has also suspended whistleblower Christopher Wylie from using Facebook. Facebook denies this was a data breach, as GSR got the data “in a legitimate way” but it broke Facebook rules by passing the data on to third parties. Facebook also claims it removed the app in 2015 and written proof that all data had been destroyed. <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JDngUw212kzFYdmkkRzd8_J_emRKgptPvshjts-Jv2ybjWq-SoTfe5jiGSfoPhyphenhyphenN8XwVZlaxHbBhTWvO8IEMz25-E7szxKwDvq3iuVgWF1h__r36OcOuGGxrEONx-1Qi639p7wbFMLhl/s1600/steve-bannon.jpeg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="366" data-original-width="650" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0JDngUw212kzFYdmkkRzd8_J_emRKgptPvshjts-Jv2ybjWq-SoTfe5jiGSfoPhyphenhyphenN8XwVZlaxHbBhTWvO8IEMz25-E7szxKwDvq3iuVgWF1h__r36OcOuGGxrEONx-1Qi639p7wbFMLhl/s640/steve-bannon.jpeg" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Donald Trump adviser Steve Bannon</td></tr> </tbody></table> Cambridge Analytica’s vice president at the time was Steve Bannon, who was also head of the right-wing website Breitbart and was running Donald Trump’s campaign to become US President. Bannon later became President Trump’s chief of staff, but was fired last year. Cambridge Analytica was funded by Robert Mercer, a hedge fund billionaire and Trump’s biggest campaign donor. GSR’s Aleksandr Kogan is also an associate professor at St Petersburg State University in Russia and has received grants from the Russian government to research Facebook users’ emotional states. <br /> <br /> Cambridge Analytica told the Observer its contract with GSR said Kogan must seek “informed consent” for data collection. It’s affiliate SCL Elections worked with Facebook to make sure no terms had been “knowingly breached” and was given a signed statement that all data had been deleted. Cambridge Analytica also claims none of the data was used in the 2016 US presidential election.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL3cEUwXfZGi_aT6TJ1y_sxG50AXS5rkSAXZ_5e3JnOjWbv1PWBjUapBWjgkgJc4gcr3RMmpet8HVZ7H3yz7Y7hMkhwWypwmUVTrFAoseHatkUrtvFy5hrnGSnpVxcg8AD8Jib5oPH66zr/s1600/facebook-us-elections.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="693" data-original-width="861" height="513" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL3cEUwXfZGi_aT6TJ1y_sxG50AXS5rkSAXZ_5e3JnOjWbv1PWBjUapBWjgkgJc4gcr3RMmpet8HVZ7H3yz7Y7hMkhwWypwmUVTrFAoseHatkUrtvFy5hrnGSnpVxcg8AD8Jib5oPH66zr/s640/facebook-us-elections.PNG" width="640" /></a></div> </div>

aggregateiq cambridge analytica Cyber Crime Data Leak databreach donald trump facebook Hacking News US Elections 50 Million Facebook Accounts Hijacked to help Trump Win

50 million Facebook accounts, most of them in the United States, had their data harvested in 2014 by a company looking for ways to targe...

Read more »

Details about tool used by FBI to unlock any Iphone disclosed

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie9nNpjo21KXHc6fFJdGFOPCYExqI8z04EGLNY9nH8X3a9u6oLWu8L4tbJOhSh5EArzHWNcrZNK7lbnISY8iq893LiIucqNY1VA8lDCw8pi9E9uvnwmIEcirP4B-SWEyC9siHtxHQGd_ki/s1600/unlock-iphone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="FBI's tool to unlock any iPhone disclosed" border="0" data-original-height="506" data-original-width="900" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie9nNpjo21KXHc6fFJdGFOPCYExqI8z04EGLNY9nH8X3a9u6oLWu8L4tbJOhSh5EArzHWNcrZNK7lbnISY8iq893LiIucqNY1VA8lDCw8pi9E9uvnwmIEcirP4B-SWEyC9siHtxHQGd_ki/s640/unlock-iphone.jpg" title="FBI's tool to unlock any iPhone disclosed" width="640" /></a></div> A series of hot debates about the backdoor access should be provided or not to law enforcement agencies to <a href="http://www.hackerschronicle.com/search/label/apple">Apple </a>devices started after the case of San Bernadino's locked iPhone. But anyhow agency found a way to unlock the iPhone by taking the help from an Israeli company named Cellebrite, which provides iPhone unlocking services to law enforcement agencies.<br /> <br /> But recently name of new a device known as <a href="https://graykey.grayshift.com/">GrayKey</a>, is being circulated in the market. The GrayKey claims to be able to unlock any <a href="http://www.hackerschronicle.com/search/label/iOS">iOS-powered</a> devices such as iPads, iPods and iPhones. It can also copy the data inside that phone, which can be browsed over a web based portal. Grayshift is based in Atlanta, Georgia, Grayshift was founded in 2016, and is a privately-held company with fewer than 50 employees.<br /> <br /> According to Forbes, the GrayKey <a href="http://www.hackerschronicle.com/search/label/iphone%20unlocking">iPhone unlocker</a> device is marketed for in-house use at law enforcement offices or labs. This is drastically different from Cellebrite’s overall business model, in that it puts complete control of the process in the hands of law enforcement.<br /> <br /> A security firm <a href="https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/">Malwarebytes </a>have released the leaked images and working of this device. GrayKey is a 4x4x2 inch gray box, with two lightning cables sticking out of the front. It is very much easy to crack a iPhone's passcode.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5KY24wEDQ9bcBj3Df1ECFQJ3LZ62g1iodhjUrS0ZVYvJ5WKIBJpDY9e8459lLu7EcjoBPab8uoYbqcWu7ac2Roe3clzm4_TPywLG2Sc0neXQmUSN8icwoPoe01LTIv5VWLGmLzNzThkk/s1600/GrayKey-iphone-unlocking-device.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="GrayKey iphone unlocking device" border="0" data-original-height="288" data-original-width="600" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5KY24wEDQ9bcBj3Df1ECFQJ3LZ62g1iodhjUrS0ZVYvJ5WKIBJpDY9e8459lLu7EcjoBPab8uoYbqcWu7ac2Roe3clzm4_TPywLG2Sc0neXQmUSN8icwoPoe01LTIv5VWLGmLzNzThkk/s640/GrayKey-iphone-unlocking-device.png" title="GrayKey iphone unlocking device" width="640" /></a></div> <br /> Two <a href="http://www.hackerschronicle.com/search/label/iphone">iPhones </a>can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. According to Grayshift, even disabled phones can be unlocked.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP95h2V4sdTVLVQtq1Clob1PUlZhyiOyjB0tsBMkC6JU_-kVthXnqt-qrrUHujK-U0chO8BCOsgrV40Rr2jFg_sASjO35z5sRoTwsOs_usUMFwUAmyLsPCQpWxBO5KpPqb7VedfCHEXOgb/s1600/GrayKey-unlocked-iPhone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="GrayKey-unlocked-iPhone.png" border="0" data-original-height="565" data-original-width="600" height="602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP95h2V4sdTVLVQtq1Clob1PUlZhyiOyjB0tsBMkC6JU_-kVthXnqt-qrrUHujK-U0chO8BCOsgrV40Rr2jFg_sASjO35z5sRoTwsOs_usUMFwUAmyLsPCQpWxBO5KpPqb7VedfCHEXOgb/s640/GrayKey-unlocked-iPhone.png" title="GrayKey-unlocked-iPhone" width="640" /></a></div> <br /> After the device is unlocked, the full contents of the filesystem are downloaded to the GrayKey device. From there, they can be accessed through a web-based interface on a connected computer, and downloaded for analysis. The full, unencrypted contents of the key-chain are also available for download.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0IKmJuMJ4MQLHhyphenhyphendZDmg_4E_Mhd3FWVAawhkPlfG9q5R46OMUn_A4CQ-w8bkphrT7Y58itN386t4KcAuQAYI8pmSSZ_EaSI0_BKMwJ2d17ZQr1pFHbSGNQzYrs-LjndHWqN4_503juxM/s1600/iphone-jailbreak.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="FBI is using this blackbox which can unlock any iPhone in the world" border="0" data-original-height="304" data-original-width="600" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf0IKmJuMJ4MQLHhyphenhyphendZDmg_4E_Mhd3FWVAawhkPlfG9q5R46OMUn_A4CQ-w8bkphrT7Y58itN386t4KcAuQAYI8pmSSZ_EaSI0_BKMwJ2d17ZQr1pFHbSGNQzYrs-LjndHWqN4_503juxM/s640/iphone-jailbreak.png" title="FBI is using this blackbox which can unlock any iPhone in the world" width="640" /></a></div> <br /> The GrayKey device itself comes in two “flavors.” The first, a $15,000 option, requires Internet connectivity to work. It is strictly geofenced, meaning that once it is set up, it cannot be used on any other network.<br /> <br /> However, there is also a $30,000 option. At this price, the device requires no Internet connection whatsoever and has no limit to the number of unlocks. It will work for as long as Apple fixes the vulnerabilities the device depends on.</div>

apple graykey Hacking News iOS iphone iphone unlocking jailbreak Details about tool used by FBI to unlock any Iphone disclosed

A series of hot debates about the backdoor access should be provided or not to law enforcement agencies to Apple devices started after t...

Read more »

5 Million Popular Android Phones found with pre-installed malwares

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZTEE4Eu0Mm9uTy7XH2DIQs9OMuUpOneSwROHzMWaEAGRIQyz4cPiGfLnxYIBUUTRU4_h37MkHB8YdM0X6eIXS6AyFdq7hlUqzphIauQLEFd_jTmyLPnzfjmAti3ZuBbXAqyktg5xU5IQL/s1600/android-botnet-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Millions of Android infected with RoyyenSys Malware" border="0" data-original-height="380" data-original-width="728" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZTEE4Eu0Mm9uTy7XH2DIQs9OMuUpOneSwROHzMWaEAGRIQyz4cPiGfLnxYIBUUTRU4_h37MkHB8YdM0X6eIXS6AyFdq7hlUqzphIauQLEFd_jTmyLPnzfjmAti3ZuBbXAqyktg5xU5IQL/s640/android-botnet-malware.png" title="Millions of Android infected with RoyyenSys Malware" width="640" /></a></div> <br /> Security researchers at CheckPoint have discovered that Chinese Cyber Criminals are using a malware named as RottenSys to attack android phones all over the world; almost 5 million android devices in their botnet network.<br /> <br /> <blockquote class="tr_bq"> "The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service." according to checkpoint analysis report.</blockquote> <br /> Experts found an unusual self-proclaimed system Wi-Fi service (<b>系统WIFI服务</b>) on a Xiaomi Redmi phone ans started their investigation. They found that the application does not provide any secure Wi-Fi related service to users. Instead, it asks for many sensitive Android permissions such as accessibility service permission, user calendar read access and silent download permission, which are not related to Wi-Fi service. Their key findings were: <br /> <ul style="text-align: left;"> <li>RottenSys, a mobile adware, has infected nearly 5 million devices since 2016.</li> <li>Indications show the malware could have entered earlier in the supplier chain.</li> <li>The attackers have been testing a new botnet campaign via the same C&C server.</li> </ul> <br /> The RottenSys malware implements two evasion techniques:<br /> <br /> <ul style="text-align: left;"> <li>The first technique consists of postponing operations for a set time.</li> </ul> <ul style="text-align: left;"> <li>The second technique uses a dropper which does not display any malicious activity at first. Once the device is active and the dropper contacts the Command and Control (C&C) server which sends it a list of additional components required for its activity.</li> </ul> <br /> The malicious code relies on two open-source projects:<br /> <br /> <ul style="text-align: left;"> <li>The <a href="https://github.com/wequick/small">Small virtualization</a> framework. RottenSys uses Small to create virtualized containers for its components, with this trick the malware could run parallel tasks, overwhelming Android OS limitations.</li> </ul> <ul style="text-align: left;"> <li>The <a href="https://github.com/Marswin/MarsDaemon">MarsDaemon library</a> that keeps apps “undead.” MarsDaemon is used to keep processes alive, even after users close them. Using it the malware is always able to inject ad.</li> </ul> <blockquote class="tr_bq"> “This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” according to the same the analysis.</blockquote> <br /> According to the findings, the RottenSys malware began propagating in September 2016. By 12 March 2018; 49,64,460 devices were infected by RottenSys. The <b>top impacted mobile devices brands are Honor, Huawei, and Xiaomi</b>.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXBJHEKCJ1oz9o8PufOTzv_xLou6yIZ9Q0vRJOArfc7r6bT8zbO2SqNS5Zs9VwU197EzHf4eet2quIs8LrENggDTEp67S8-WS-PtW_ez_YDXKdCr9TSnTRshxADpPqIxJ9cwq7KgGg3bm/s1600/android-phones-infected-with-rottebsys-malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="316" data-original-width="747" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXBJHEKCJ1oz9o8PufOTzv_xLou6yIZ9Q0vRJOArfc7r6bT8zbO2SqNS5Zs9VwU197EzHf4eet2quIs8LrENggDTEp67S8-WS-PtW_ez_YDXKdCr9TSnTRshxADpPqIxJ9cwq7KgGg3bm/s640/android-phones-infected-with-rottebsys-malware.png" width="640" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGg8FdzCwQIbAYcRIVctfEi3NM0An11IvuJ5860GPeAoiBxnyNdHtvisEk5BNmpRPtkff5ru3uhhJMSm7s3wdeVie4TX4k7bfzwxxVDSH4RD6fA2H_rut6fv4dy9iFvq5o1vSlOoWIjb5/s1600/chinese-phones-infected-with-malwares.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="329" data-original-width="543" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZGg8FdzCwQIbAYcRIVctfEi3NM0An11IvuJ5860GPeAoiBxnyNdHtvisEk5BNmpRPtkff5ru3uhhJMSm7s3wdeVie4TX4k7bfzwxxVDSH4RD6fA2H_rut6fv4dy9iFvq5o1vSlOoWIjb5/s640/chinese-phones-infected-with-malwares.png" width="640" /></a></div> <br /> <br /> RottenSys is totally focusing on aggressive ad network for making huge profits. In the past 10 days alone, it displayed ads 13,250,756 times (commonly called impressions) and out of which 548,822 were converted into ad clicks. We tried to roughly calculate the revenue from these impressions and clicks according to the conservative estimation of 20 cents for each click and 40 cents for each thousand impressions. According to these calculations, <b>the attackers earned over $1,15,000 from their malicious operation in the last ten days alone!</b></div>

Botnet Chinese Hackers Hacking News honor huawei Malwares rottensys xiomi 5 Million Popular Android Phones found with pre-installed malwares

Security researchers at CheckPoint have discovered that Chinese Cyber Criminals are using a malware named as RottenSys to attack android...

Read more »

Hundreds of Organizations Worldwide Attacked by Qrypter Trojan

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAgVwEV_ZXbV1VRyhY4xYBu5TbeU1Cy8WuHTunkq65TGlmhGtJN71K0rSgE6uF6ivtc70Emv4KkurY_giuwD7iWvI13_F56FC1Yx-w8g6HuDoOtlAfdGU1oAMDm-Tmds5Ebv3sFLepRyzX/s1600/qrypter-rat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Qrypter-Trojan-attack" border="0" data-original-height="558" data-original-width="1200" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAgVwEV_ZXbV1VRyhY4xYBu5TbeU1Cy8WuHTunkq65TGlmhGtJN71K0rSgE6uF6ivtc70Emv4KkurY_giuwD7iWvI13_F56FC1Yx-w8g6HuDoOtlAfdGU1oAMDm-Tmds5Ebv3sFLepRyzX/s640/qrypter-rat.jpg" title="Qrypter-Trojan-attack" width="640" /></a></div> According to a security firm Forcepoint, Hundreds of organizations all around the globe have been targeted in a series of attacks that leverage the <b>Qrypter remote access Trojan </b>(RAT).<br /> <br /> The <a href="http://www.hackerschronicle.com/search/label/Malwares">malware</a>, often mistaken for the <b>Adwind </b>cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform. <br /> <br /> Also known as<b> Qarallax, Quaverse, QRAT</b>, and Qontroller, Forcepoint explains that <b>Qrypter is a Java-based <a href="http://www.hackerschronicle.com/search/label/rat">RAT</a> that leverages TOR-based command and control</b> (C&C) servers. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.<br /> <br /> The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint's security researchers say. <br /> <br /> When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers. <br /> <br /> Qrypter is a plugin based <span id="goog_2122346973"></span><a href="http://www.hackerschronicle.com/search/label/Trojan">backdoor <span id="goog_2122346974"></span></a>that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control. <br /> <br /> The <b>RAT is available for rent for a price of $80</b>, payable in PerfectMoney, Bitcoin-Cash, or <a href="http://www.hackerschronicle.com/search/label/Bitcoin">Bitcoin</a>. Interested parties can purchase three months or one-year subscriptions for a discounted price, the security researchers discovered. <br /> <br /> An older Bitcoin address associated with payments for Qrypter subscriptions was appears to have received a total of 1.69 BTC (around $13,500 at the time of publishing). This, however, is only one of the addresses that the malware authors use, meaning that their earnings could be much higher.<br /> <br /> The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members. <br /> <br /> Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors. <br /> <br /> <blockquote class="tr_bq"> “Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes. </blockquote> <br /> In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter's popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to <a href="http://www.hackerschronicle.com/2011/07/make-keylogger-and-trojan-fully.html">create FUD</a> (fear, uncertainty, and doubt) about competition.<br /> <br /> <blockquote class="tr_bq"> “While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes. </blockquote> </div>

adwind Hacking News qarallax Qrypter quaverse rat Trojan Hundreds of Organizations Worldwide Attacked by Qrypter Trojan

According to a security firm Forcepoint, Hundreds of organizations all around the globe have been targeted in a series of attacks that l...

Read more »

ISRO computers infected with Malwares, Could be Hacked

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtAoCP4N_b7bZzZsDPujcRd4jTlXUpqHy2oQBMrNtsCQ68UOoIJwYgYhb-Mf3QFHpBMeM12af-3wFRZrJNX_TVnHPr9xC9UpPyIjz6fcK9Nt4KB7csDCkPXfhbwwt1AFVohsoWD4oK9MQx/s1600/ISRO-infected-with-trojan.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Malware-attack-on-ISRO" border="0" data-original-height="338" data-original-width="666" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtAoCP4N_b7bZzZsDPujcRd4jTlXUpqHy2oQBMrNtsCQ68UOoIJwYgYhb-Mf3QFHpBMeM12af-3wFRZrJNX_TVnHPr9xC9UpPyIjz6fcK9Nt4KB7csDCkPXfhbwwt1AFVohsoWD4oK9MQx/s640/ISRO-infected-with-trojan.jpg" title="Malware-attack-on-ISRO" width="640" /></a></div> <br /> Security researchers have claimed that a malware has infected computer systems of India’s premier space research agency, <a href="http://www.hackerschronicle.com/search/label/isro">Indian Space and Research Organization</a> (ISRO).<br /> <br /> Indian and French security experts believe that using the <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a>, hackers could have easily taken control of ISRO’s command rocket launches.<br /> <br /> On December 2017, the researchers detected a trojan malware, known as <a href="http://www.hackerschronicle.com/search/label/xtremerat">XtremeRAT</a>, in ISRO servers and they immediately reported to the agency by an Indian researcher. However, ISRO responded and resolved the issue only after French researcher Robert Baptiste reached out to the agency on Twitter.<br /> <br /> “ISRO in their conversation with me informed that that investigated and found a UTM login port that was not mapped internally to any systems.They claimed to have disabled that port for now,” said Baptiste quoting ISRO’s communication.<br /> <br /> The <a href="http://www.hackerschronicle.com/search/label/Malwares">malware </a>had infected the ISRO’s Telemetry, Tracking and Command Networks (ISTRAC) whose main function is to provide tracking support for all the satellite and launch vehicle missions of ISRO.<br /> <br /> “The malware was probably infected on a computer that had access to servers used for Tracking and Command (TTC) services that help launch vehicle lift-off till injection of a satellite. A computer which was probably used to command rocket launches and separation of a satellite. I say ‘probably infected’ because no one knows which computer was used,” said the Indian researcher.<br /> <br /> <b>XtremeRAT </b>is a commercially available <a href="http://www.hackerschronicle.com/search/label/rat">remote access Trojan</a> (RATs) used by hackers to conduct cyber espionage. There are a number of RATs that are available for free and can be purchased online. It allows the hacker to hack specific target’s servers and databases.<br /> <br /> "If infected with a <a href="http://www.hackerschronicle.com/search/label/Trojan">trojan</a>, the attacker owns the computer. The hacker can command the computer to do absolutely anything he wants. He just has to use the Remote Desktop Protocol (RDP) to access a computer. Has there been a data loss? most likely yes,” says the Indian researcher. </div>

Hacking News isro Malwares rat Trojan xtremerat ISRO computers infected with Malwares, Could be Hacked

Security researchers have claimed that a malware has infected computer systems of India’s premier space research agency, Indian Space a...

Read more »

Calendar app in Mac App Store is openly mining cryptocurrency in background

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnp2gfb-T4DnvsHXezl5oNNba6XRwuEuLIfSdCLiBD_8951TnC2rwl-U5icAfUFJTACq-v6ieYzJ7S48td97pqrXtcWOGBZKiELIxK6COmmBPKi-jlDcb5YNr38xxmHg7UHKq0Bzwntt4-/s1600/calendar-2-mining-monero.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Popular Calendar 2 app openly mines Monero by default" border="0" data-original-height="582" data-original-width="571" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnp2gfb-T4DnvsHXezl5oNNba6XRwuEuLIfSdCLiBD_8951TnC2rwl-U5icAfUFJTACq-v6ieYzJ7S48td97pqrXtcWOGBZKiELIxK6COmmBPKi-jlDcb5YNr38xxmHg7UHKq0Bzwntt4-/s640/calendar-2-mining-monero.jpg" title="Popular Calendar 2 app openly mines Monero by default" width="625" /></a></div> A schedule application in the Mac App Store <b>Calendar 2</b> has been mining <a href="http://www.hackerschronicle.com/search/label/Cryptocurrency">cryptocurrency </a>out of sight in return for giving clients extra highlights — and an alternative to quit mining has been broken. Up until this point, Apple has not taken the booking application Calendar 2 down, even after Ars Technica informed the organization that <a href="https://itunes.apple.com/us/app/calendar-2/id415181149?mt=12">Calendar 2</a> has been mining virtual currency. <br /> <br /> The application is a buffed-up variant of Apple's Calendar application in <a href="http://www.hackerschronicle.com/search/label/macOS">macOS</a>, yet as of late, its designer, Qbix, added additional code to mine <a href="http://www.hackerschronicle.com/search/label/Monero">monero</a>, an advanced coin propelled in April 2014 and intended to be a more unknown adaptation of bitcoin, as you can't see exchanges on an open record. That makes Calendar 2 something of an irregularity in the App Store — there don't have all the earmarks of being other mining applications in the store, not to mention applications that utilization mining as an approach to get extra an incentive from non-paying clients. <br /> <br /> The miner keeps running in return for giving the clients a chance to get to more premium highlights. Clients can quit by keeping premium highlights off or paying for them through the App Store. <br /> <br /> Be that as it may, as Ars noticed, the application had a bug that kept the digger running, regardless of whether clients endeavored to quit, and a moment bug that made the excavator expend a larger number of assets than initially proposed. A client noted on Twitter that the application "<b>ate 200% CPU until the point that I discovered it and murdered it. I didn't expect a mineworker contamination from an App Store seller. Amazing</b>." The application's present rating is two out of five in the App Store, with numerous current surveys docking stars due to the undesirable mining. Qbix expressed that it was highly involved with distributing a fix for the bugs. <br /> <br /> Mining programs tend to support Monero over <a href="http://www.hackerschronicle.com/search/label/Bitcoin">Bitcoin </a>or Ethereum, as Monero has a more CPU-friendly hashing calculation. </div>

Apple App Store Calender2 cryprocurrency mining Cryptocurrency Cryptocurrency Malware Cryptomining mac software macOS Monero Calendar app in Mac App Store is openly mining cryptocurrency in background

A schedule application in the Mac App Store Calendar 2 has been mining cryptocurrency out of sight in return for giving clients extra h...

Read more »

Chinese Spies using malwares to attack U.K. Government

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGm8M94_eBC7PlQ8oRsH1Y4aope0ywG21Rrhw4_Fnd_Xnf-7RQqySzE8Vivx_A0XPFFwWxmRAOdOq407qtfp7qrn9QTcDtGaAxHSyjhPgBkCp6g-H6SRtz_K2Ka2VjIXqajXnVBNl0Yd9w/s1600/Chinese-hackers-attacking-UK-Government.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Chinese Hackers Attacking UK Government with Malwares" border="0" data-original-height="667" data-original-width="1000" height="425" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGm8M94_eBC7PlQ8oRsH1Y4aope0ywG21Rrhw4_Fnd_Xnf-7RQqySzE8Vivx_A0XPFFwWxmRAOdOq407qtfp7qrn9QTcDtGaAxHSyjhPgBkCp6g-H6SRtz_K2Ka2VjIXqajXnVBNl0Yd9w/s640/Chinese-hackers-attacking-UK-Government.jpg" title="Chinese Hackers Attacking UK Government with Malwares" width="640" /></a></div> A known cyber espionage group believed to be operating out of <a href="http://www.hackerschronicle.com/search/label/Chinese%20Hackers">China </a>was last year spotted using new malware in an attack aimed at an organization that provides services to the U.K. government.<br /> <br /> Details about the attack were presented last week at Kaspersky’s Security Analyst Summit (SAS) in Cancun by Ahmed Zaki, senior malware researcher at NCC Group.<br /> <br /> The attack has been attributed to a threat actor known as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon. NCC Group started analyzing the group’s recent activities after it targeted one of its customers, a global company that provides a wide range of services to the United Kingdom government.<br /> <br /> Acording to securityweek Researchers believe the <b>attackers had been targeting various U.K. government departments and military technology</b> through its customer. NCC has not made any statements regarding attribution, but Zaki did mention during his presentation at SAS that APT15 was particularly active during hours that correspond to working hours in East Asia.<br /> <br /> APT15 has been active since at least 2010 and it has targeted organizations all around the world using its own malware and Word, Adobe Reader and Java exploits. The group has improved its tools and techniques over the years, and NCC recently spotted two new backdoors it created.<br /> <br /> One of the backdoors has been dubbed RoyalCLI and is considered a successor of BS2005, a piece of malware that is often used by the group. RoyalCLI leverages similar encryption and encoding routines, and they both communicate with command and control (C&C) servers via Internet Explorer using the IWebBrowser2 interface.<br /> <br /> The malware uses the Windows command prompt (cmd.exe) to execute a majority of its commands. It’s designed to copy the cmd.exe file and modify it, which allows it to bypass policies that might prevent the command prompt from running on the targeted device. <br /> <br /> The second backdoor, named RoyalDNS, uses DNS, specifically TXT records, to communicate with the C&C server. This piece of malware receives commands, executes them, and returns output through DNS.<br /> <br /> In the case of the attack analyzed by NCC, the hackers compromised more than 30 hosts, with forensic artifacts showing that the initial intrusion may have occurred as early as May 2016. NCC was asked by the client to stop its investigation in June 2017, but resumed it in August after the threat actor managed to regain access to the victim’s network. Experts determined that the hackers had stolen a VPN certificate from a compromised host and used it to regain access via the corporate VPN.<br /> <br /> The commands sent by the attackers to the RoyalCLI and BS2005 malware were cached to the disk of compromised devices, allowing researchers to recover over 200 commands. Since one of the commands contained a typo, investigators determined that they were likely sent by a human operative rather than an automated process.<br /> <br /> In addition to BS2005, RoyalCLI and RoyalDNS, APT15 used custom-built keyloggers, and Microsoft SharePoint and Exchange enumeration and data dumping tools. The group’s arsenal also includes widely available tools such as Mimikatz, CSVDE, NetEnum, and RemoteExec.<br /> <br /> Moreover, the attackers relied on various Windows commands to conduct reconnaissance, including tasklist, ping, netstat, net, systeminfo, ipconfig and bcp. For lateral movement they leveraged the net command and manually copied files to and from compromised hosts.<br /> <br /> “Through our investigation we were able to identify and monitor the attack process from start to finish, offering us unique insight into the behaviour of this group,” Zaki said. “It’s clear to see that this is a highly sophisticated threat actor that has no problem writing tools which are specific to its victims.”</div>

APT Chinese Hackers Chinese Spies Hacking News RoyalCLI RoyalDNS Chinese Spies using malwares to attack U.K. Government

A known cyber espionage group believed to be operating out of China was last year spotted using new malware in an attack aimed at an org...

Read more »

Redis and Windows servers targeted by a new cryptomining malware RedisWannaMine

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdV7v7ncahe3qwjXHcok_B73pE_DNqfje6O7Q30mp3Zo1V1TZtqUKjP9luc1VvqZjcL9DdzR6EFbGO_wBBFmTFmxdrlzDHmgnmqmGYuzhv3nT1eZGKUJLuuB-GTvK96Byo-Te-UdzKKiDq/s1600/cryptoccurency-mining-malware-RedisWannaMine.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Hackers are targeting Redis and Windows servers for cryptomining " border="0" data-original-height="465" data-original-width="720" height="411" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdV7v7ncahe3qwjXHcok_B73pE_DNqfje6O7Q30mp3Zo1V1TZtqUKjP9luc1VvqZjcL9DdzR6EFbGO_wBBFmTFmxdrlzDHmgnmqmGYuzhv3nT1eZGKUJLuuB-GTvK96Byo-Te-UdzKKiDq/s640/cryptoccurency-mining-malware-RedisWannaMine.jpg" title="Hackers are targeting Redis and Windows servers for cryptomining " width="640" /></a></div> <br /> Security researchers at Imperva have come across a new <a href="http://www.hackerschronicle.com/search/label/Cryptojacking">cryptojacking </a>worm that infects Redis and Windows servers with cryptomining <a href="http://www.hackerschronicle.com/search/label/Malwares">malware</a>.<br /> <br /> The attack, which has been dubbed <a href="http://www.hackerschronicle.com/search/label/RedisWannaMine">RedisWannaMine </a>by researchers from security firm Imperva, scans for <b>misconfigured Redis deployments and Windows Servers that are still vulnerable to the Eternal Blue SMB <a href="http://www.hackerschronicle.com/search/label/Exploits">exploit</a>.</b><br /> <br /> While investigating an attack against a web server that attempted to exploit the <b>CVE-2017-9805</b> vulnerability in Apache Struts, the Imperva researchers located a command-and-control server hosting multiple attack scripts. One of those scripts was a new cryptomining downloader that exhibited worm-like behavior.<br /> <br /> When executed, the script attempts to install a variety of packages through apt-get or yum—depending on the Linux distribution—creates entries in crontab for persistence and adds a new authorized SSH key for authentication. It then proceeds to download a tool called masscan from GitHub and compiles it.<br /> <br /> <b>Masscan is a high-performance TCP port scanner</b> and is used by <b>RedisWannaMine </b>to scan external and internal IP addresses for Redis deployments. Redis is an in-memory data store that can be used as a database, cache or message broker. It is usually deployed on internal networks, but thousands of such servers have been found exposed on the internet in the past. The project page of <a href="https://github.com/robertdavidgraham/masscan">Masscan</a> describes it as “<b>TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes</b>.”<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQJMVXe1axhx_0ifPV9UQfCDbpGj7tB7CVqo97UHjD9NP-PWON8uni3Mt8IizLcBToJNJ3Zc3mHPcVqbcw_SYEPegsRg_gD2szWYtMy7mTf1mTMDI4OlM-LLyM33gKHR8POmdvnMP3Doms/s1600/mascan-TCP-Scanner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Masscan a high-performance TCP port scanner" border="0" data-original-height="206" data-original-width="845" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQJMVXe1axhx_0ifPV9UQfCDbpGj7tB7CVqo97UHjD9NP-PWON8uni3Mt8IizLcBToJNJ3Zc3mHPcVqbcw_SYEPegsRg_gD2szWYtMy7mTf1mTMDI4OlM-LLyM33gKHR8POmdvnMP3Doms/s640/mascan-TCP-Scanner.png" title="Masscan a high-performance TCP port scanner" width="640" /></a></div> <br /> <br /> When an unprotected Redis server is discovered, the script installs cryptomining malware on it and creates crontab entries for persistence. The script then launches another scan, this time for Windows Servers that accept SMB connections.<br /> <br /> The goal of the second scan is to find servers that are vulnerable to the Eternal Blue SMB exploit used by <a href="http://www.hackerschronicle.com/search/label/WannaCry">WannaCry</a>, <a href="http://www.hackerschronicle.com/search/label/notPetya">NotPetya </a>and other malware attacks over the past year. When such a servers are identified, the script downloads and installs a different cryptomining component for Windows.<br /> <br /> Compared to past cryptojacking attacks that primarily target servers available on the internet, <b>RedisWannaMine also spreads laterally through local networks, making it much more dangerous to companies.</b><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXH9YAByWecwOsKjw_3-Hh9YEHhFJv6d1_vJ60su3ELwMZLe2IYggemN0gZj5AgFg-YHsy7XiuYUfviIo26KgUk77daHKbinqPVTKH208B9EnAWqf4wGQRsgcdyX-K9WbO6NlKtrHbzQgI/s1600/working-of-RedisWannaMine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Working of RedisWannaMine Malware" border="0" data-original-height="570" data-original-width="1024" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXH9YAByWecwOsKjw_3-Hh9YEHhFJv6d1_vJ60su3ELwMZLe2IYggemN0gZj5AgFg-YHsy7XiuYUfviIo26KgUk77daHKbinqPVTKH208B9EnAWqf4wGQRsgcdyX-K9WbO6NlKtrHbzQgI/s640/working-of-RedisWannaMine.png" title="Working of RedisWannaMine Malware" width="640" /></a></div> <br /> The malware “is more complex in terms of evasion techniques and capabilities,” the Imperva researchers said in a report. “It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets. In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!” </div>

Cryptocurrency Cryptojacking Cryptomining CVE-2017-9805 Redis RedisWannaMine Windows Server Redis and Windows servers targeted by a new cryptomining malware RedisWannaMine

Security researchers at Imperva have come across a new cryptojacking worm that infects Redis and Windows servers with cryptomining malwa...

Read more »

Saposhi a new malware to take down all IoT devices is out

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ8p7qWG1DwmBPgKLhzzWdUqUSRexWf70vpudaCzjinTSUdHMKaE0_AZwb1d8bUoIhdL-tpGAdYEPROknhA8DhDrAq9wy5caeaAv26qLpkHmmO5kzkSKNxBtR4vv5R83lUiTNqHsbbyYy9/s1600/Saposhi-DDoS-Malware.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Saposhi a new malware to take down all IoT devices is out" border="0" data-original-height="750" data-original-width="1000" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ8p7qWG1DwmBPgKLhzzWdUqUSRexWf70vpudaCzjinTSUdHMKaE0_AZwb1d8bUoIhdL-tpGAdYEPROknhA8DhDrAq9wy5caeaAv26qLpkHmmO5kzkSKNxBtR4vv5R83lUiTNqHsbbyYy9/s640/Saposhi-DDoS-Malware.jpg" title="Saposhi a new malware to take down all IoT devices is out" width="640" /></a></div> <br /> Cybersecurity agencies detected a new malware <b>Saposhi</b> , which can cripple the entire industries by taking over electronic devices and turning them into 'bots', which can be used for <a href="http://www.hackerschronicle.com/search/label/DDoS">Distributed Denial of Service</a> (DDoS) attacks .<br /> <br /> The <b>new malware Saposhi was detected around 15 days ago</b> according to a report of the Hindu, and is currently being watched and studied.<br /> <br /> <b>“Saposhi is similar in its intensity to Reaper, which was taking over millions of devices at the rate of 10,000 devices per day.</b> Various cybersecurity agencies are currently keeping tabs on it to get a better idea of what it is capable of,” he said.<br /> <br /> A Central Government organisation <b>'the Computer Emergency Response Team (CERT)', had issued an alert about malwares </b>Mirai, and Reaper, but has not yet issued any alert regarding the new malware.<br /> <br /> <b>“We need to first ensure that the information we have is indeed substantiated before raising alarm bells.</b> Right now, what we know for sure is that Saposhi exists, and is highly capable. Factors like whether it is aimed at any particular kind of device, or has a specific purpose are still being verified,” a officer said.<br /> <br /> <a href="http://www.hackerschronicle.com/search/label/Malwares">Malwares </a>which are primarily aimed at DDoS attacks first creates a 'botnet,'network of bots, these botnet are used to ping a server at the same time. If the<b> number of pings increases beyond the server’s capacity, the server crashes and denies service.</b> Saposhi, Reaper and Mirai are DDoS attack malwares.<br /> <br /> In July 2016, small and medium internet service providers in Maharashtra fell prey to a DDoS attack, which caused disruption in the services of several Internet Service Providers (ISP) in the State.<br /> <br /> In 2016, Mirai, using a botnet of 5 lakh devices, had caused the servers of Dyn, a leading domain name service provider, to crash, affecting services of popular websites like Twitter, Netflix and Reddit.<br /> <br /></div>

Botnet CyberSecurity DDoS Malwares Mirai News Reaper Saposhi Saposhi a new malware to take down all IoT devices is out

Cybersecurity agencies detected a new malware Saposhi , which can cripple the entire industries by taking over electronic devices and t...

Read more »

DDoS Exploit code to shutdown all vulnerable Memcached Servers Released online

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY_2biyz6S2H06vEQZNYt30moJnaKa9N1pO73gCZfgMo8cGLLI66wvY61YLyK_XtqjucFRcLrrwNEmDa3pBhJpig0791kXy2_uaPo5hU5-D2hMUlZIG2zQfPmrgfr-3safsS6y51p6X4xI/s1600/Memfixed-Mitigation-Tool.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="MEMFIXED DDOS MITIGATION TOOL" border="0" data-original-height="455" data-original-width="822" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY_2biyz6S2H06vEQZNYt30moJnaKa9N1pO73gCZfgMo8cGLLI66wvY61YLyK_XtqjucFRcLrrwNEmDa3pBhJpig0791kXy2_uaPo5hU5-D2hMUlZIG2zQfPmrgfr-3safsS6y51p6X4xI/s640/Memfixed-Mitigation-Tool.png" title="memfixed-ddos-mitigation-tool" width="640" /></a></div> <br /> For the last few days, Vulnerable Memcached Servers were targeted by hackers to conducted DDoS attacks including the <a href="http://www.hackerschronicle.com/2018/03/github-hit-with-biggest-ddos-attack.html" target="_blank">world’s largest ever 1.7 Tbps of DDoS attack on Github</a> website.<br /> <br /> After the massive attacks on memcache servers worldwide <b>three PoC codes were published online to exploit the thousands of Memcache servers still vulnerable</b>. Along with PoC code a <b>list of 17,000 vulnerable servers were also published</b>. The PoC codes could allow even script-kiddies to launch massive <a href="http://www.hackerschronicle.com/search/label/DDoS" target="_blank">DDoS </a>attacks using UDP reflections easily.<br /> <br /> But now the researchers at <a href="https://twitter.com/SpuzNiq">SPUZ.me</a> have released a new tool to shutdown all vulnearble sers at one go. The tool is named as <a href="http://www.hackerschronicle.com/search/label/Memfixed" target="_blank"><b>Memfixed</b></a>. According to the publisher: Memfixed is DDoS mitigation tool for sending flush or shutdown commands to vulnerable <a href="http://www.hackerschronicle.com/search/label/Memcache" target="_blank">Memcached </a>servers obtained using Shodan API.<br /> <br /> This tool is written in python and this allows you to shutdown/flush vulnerable Memcached servers obtained from <b>Shodan </b>search engine and utilising the killswitch published by a security researcher dormando. He has discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history. The tool also has the capability of shutting down or flushing specific vulnerable memcached servers for companies/services being attacked (assuming the user knows its IP address).<br /> <br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1K4iyFU004iDBDOTT5G39GzNB3E6VyxpcWew_pRnlbq6zzYuTjkPAd_9oDOpjdOTM4RBJ2R4KvVWTtl-wN-KHX3HnJDmCB7_KOy8EXBMKSgtusro5x01MdFQjlOAqRQI_hHJS64ZG7-Ls/s1600/Memcrashed-DDoS-Exploit.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Memcached DDoS Exploit Code" border="0" data-original-height="588" data-original-width="592" height="634" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1K4iyFU004iDBDOTT5G39GzNB3E6VyxpcWew_pRnlbq6zzYuTjkPAd_9oDOpjdOTM4RBJ2R4KvVWTtl-wN-KHX3HnJDmCB7_KOy8EXBMKSgtusro5x01MdFQjlOAqRQI_hHJS64ZG7-Ls/s640/Memcrashed-DDoS-Exploit.PNG" title="memcached-ddos-exploit-code" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Poc code to exploit vulnerable Memcache servers</td></tr> </tbody></table> <br /> Memcached is a popular open source distributed memory caching system, which came into news earlier last week when researchers detailed how hackers could abuse it to launch amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.<br /> <br /> For those unaware, Memcached-based amplification/reflection attack amplifies bandwidth of the DDoS attacks by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.</div>

DDoS Exploit Memcache Memfixed News DDoS Exploit code to shutdown all vulnerable Memcached Servers Released online

For the last few days, Vulnerable Memcached Servers were targeted by hackers to conducted DDoS attacks including the world’s largest eve...

Read more »